The Rogue AP Isolation feature detects and blocks any unauthorized APs in the network. You can either log or block the rogue device. If the action requested is to log the rogue device, the MAC address of the rogue device is logged in the system logs (RMON). If the action is to block the rogue device, the traffic to and from the MAC address of the rogue device is blocked. The MAC is also logged in the system log.
When an Aruba AP detects a rogue AP on the network, it sends out the MAC address of the AP as well as the MAC of the clients connected to the AP to the switch using the ArubaOS-Switch proprietary LLDP TLV protocol. The switch then adds a rule in its hardware table to block all the traffic originating from the rogue AP’s MAC address.
The rogue-ap-isolation command configures the rogue AP isolation for the switch and gives the option to enable or disable the rogue AP isolation feature. The rogue-ap-isolation action command gives you the ability to block the traffic to or from the rogue device or log the MAC of the rogue device. When the action is set to block, the rogue MAC is logged as well. By default, the action is set to block.
The rogue-ap-isolation whitelist command lets you add devices detected as possible rogue APs to the whitelist. A maximum of 128 MAC addresses are supported for the whitelist.
The clear rogue-aps command clears the detected rogue AP device MAC address.
More information
| rogue-ap-isolation |
| rogue-ap-isolation action |
| rogue-ap-isolation whitelist |
| clear rogue-ap-isolation |
-
You can add a maximum of 128 MAC addresses to the whitelist.
-
When a MAC is already authorized by any of the port security features such as LMA, WMA, or 802.1X, the MAC is logged but you cannot block it using the
rogue-ap-isolationfeature. A RMON event is logged to notify the user. -
When a MAC is already configured as an IP received MAC of a VLAN interface, the MAC is logged but you cannot block it by using the
rogue-ap-isolationfeature. A RMON event is logged to notify the user. -
When a MAC is already locked out via
lockout-macor locked down using thestatic-macconfiguration, the MAC is logged but you cannot block it using therogue-ap-isolationfeature. A RMON event is logged to notify the user. -
The number of rogue MACs supported on a switch is a function of the value of
max-vlansat boot time. Since the resources are shared with thelockout-macfeature, the scale is dependent on how many lockout addresses have been configured on the switch using thelockout-macfeature.The following table lists the scale when there are no lockout addresses configured on the switch:
Max VLAN Supported MACs 0 < VLAN <= 8
200
8 < VLAN <= 16
100
16 < VLAN <= 256
64
256 < VLAN <= 1024
16
1024 < VLAN <= 2048
8
2048 < VLAN <= 4094
4
The switch will throw a RMON log and the rogue MAC will be ignored when the limit is reached.
![[NOTE: ]](images/note.gif)
NOTE: If the
max-vlansvalue is changed to a different value, the scale of rogue MACs supported will not change until the next reboot.
The Rogue AP isolation feature uses the MAC lockout feature to block MACs in hardware. Therefore, any MAC blocked with the Rogue AP isolation feature cannot be added with the lockout-mac or [static-mac] command if the action type is set to block.
switch#
lockout-mac 247703-7a8950
Cannot add the entry for the MAC address 247703-7a8950 because it is already
blocked by rogue-ap-isolation.
switch#
static-mac 247703-7a8950 vlan 1 interface 1
Cannot add the entry for the MAC address 247703-7a8950 because it is already
blocked by rogue-ap-isolation.
Similarly, any MAC that was added with the lockout-mac or static-mac command and that is being detected as rogue will be logged, but not blocked in hardware as it already is set to block. If the MAC is removed from lockout-mac or static-mac but is still in the rogue device list, it will be blocked back in hardware if the action type is block.
Any configuration using LMA, WMA, 802.1X, or Port-Security will not be blocked if the Rogue AP isolation feature is enabled. All these features act only when a packet with the said MAC is received on a port.
If rogue-ap-isolation blocks a MAC before it is configured to be authorized, packets from such MACs will be dropped until one of the following happens:
Once a MAC has been authorized by one of these features, it will not be blocked by Rogue AP isolation. A RMON will be logged to indicate the failure to block.
The Rogue AP module will retry to block any such MACs periodically. In the event of the MAC no longer being authorized, Rogue AP isolation will block the MAC again. No RMON is logged to indicate this event.
The Rogue AP isolation feature will not block a MAC configured as an IP receive MAC address on a VLAN interface. This event will be logged in RMON if such MACs are detected as rogue.
Conversely, any MAC already blocked by Rogue AP isolation will not be allowed to be configured as an IP receive MAC address of a VLAN interface.
switch#
vlan 1 ip-recv-mac-address 247703-3effbb
Cannot add an entry for the MAC address 247703-3effbb because it is already
blocked by rogue-ap-isolation.
-
switch# show rogue-ap-isolation Rogue AP Isolation Rogue AP Status : Disabled Rogue AP Action : Block Rogue MAC Address Neighbour MAC Address ----------------- --------------------- -
switch# rogue-ap-isolation enable switch# show rogue-ap-isolation Rogue AP Isolation Rogue AP Status : Enabled Rogue AP Action : Block Rogue MAC Address Neighbour MAC Address ----------------- ---------------------
-
Change the action type from block to log:
switch# rogue-ap-isolation action log switch# show rogue-ap-isolation Rogue AP Isolation Rogue AP Status : Enabled Rogue AP Action : Log Rogue MAC Address Neighbour MAC Address ----------------- ---------------------
-
List the current whitelist entries:
switch# show rogue-ap-isolation whitelist Rogue AP Whitelist Configuration Rogue AP MAC ------------------ -
switch# rogue-ap-isolation whitelist 005056-00326a switch# show rogue-ap-isolation whitelist Rogue AP Whitelist Configuration Rogue AP MAC ------------------ 00:50:56:00:32:6a
syntax
rogue-ap-isolation {enable | disable}
Description
Configures the rogue AP isolation for the switch.
Parameters
Enables the rogue AP isolation.
Disables the rogue AP isolation.
More information
| rogue-ap-isolation action |
| rogue-ap-isolation whitelist |
| clear rogue-ap-isolation |
syntax
rogue-ap-isolation action {log | block}
Description
Configures the action to take for the rogue AP packets. This function is disabled by default.
Parameters
Configure the action to take for rogue AP packets. By default, the rogue AP packets are blocked.
Options
Logs traffic to or from any rogue access points.
Blocks and logs traffic to or from any rogue access points.
More information
| rogue-ap-isolation |
| rogue-ap-isolation whitelist |
| clear rogue-ap-isolation |
syntax
[no] rogue-ap-isolation whitelist <MAC-ADDRESS>
Description
Configures the rogue AP Whitelist MAC addresses for the switch. Use this command to add to the whitelist the MAC addresses of approved access points or MAC addresses of clients connected to the rogue access points. These approved access points will not be added to the rogue AP list even if they are reported as rogue devices.
Parameters
Specifies the MAC address of the device to be moved from the rogue AP list to the whitelist.
Options
Removes the MAC address individually by specifying the MAC.
Restrictions
You can add a maximum of 128 MAC addresses to the whitelist.
More information
| rogue-ap-isolation |
| rogue-ap-isolation action |
| clear rogue-ap-isolation |
syntax
clear rogue-ap-isolation { <MAC-ADDRESS> | all }
Description
Removes the MAC addresses from the rogue AP list.
Parameters
Specifies the MAC address of the device to be moved from the rogue AP list.
Clears all MAC addresses from the rogue AP list.
Restrictions
The MAC addresses cleared using this option will be added back to the rogue list under the following cases:
-
The LLDP administrator status of the port on which the AP that reported the MAC is disabled and enabled back.
-
The data that is in the rogue AP TLV sent from the AP that informed the rogue MAC has changed.
-
To permanently ignore a MAC from being detected as rogue, add it to the whitelist.
More information
| rogue-ap-isolation |
| rogue-ap-isolation action |
| rogue-ap-isolation whitelist |